I'm running a PHP based application on IIS8, under Windows Server 2012. I'm trying to use a custom error page for failed authentication attempts – by replacing the 401 error page.
Here is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpRedirect enabled="false" destination="https://my.website.co.uk" />
<rewrite>
<rules>
<rule name="Hide Yii Index" stopProcessing="true">
<match url="." />
<action type="Rewrite" url="index.php" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
</rule>
</rules>
</rewrite>
<httpErrors errorMode="Custom" existingResponse="Replace">
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" path="/errors/401.htm" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
</configuration>
When I attempt to look at the website without supplying credentials, all I see is a blank page. The source of the page is totally blank too – no single html tag.
Any ideas how I make this work?
Best Answer
Think about what you are doing here. You are saying if the user has not been authenticated correctly, display this other page to the user. But this (401) page can only be displayed to authenticated users. So IIS is not allowed to show that page to the user and displays a blank page instead.
There are at least two ways around this, change your httpErrors to:
By changing the responseMode to
File, iis is not executing a URL anymore and instead loads the content of a file and sends it to the user. This always works regardless of the authenication status. The path is relative to the root of the web site.The other option is to add a web.config to your errors folders and allow anonymous authentication for this directory, it only has error pages after all.